Date: Sat, 24 Jul 2021 23:48:26 +0200
From: infoomatic <infoomatic@gmx.at>
To: freebsd-jail@freebsd.org
Subject: Re: iocage, vnet jail does not go outside
Message-ID: <3c0bcf3e-541f-5add-47cd-9457d4e5dc85@gmx.at>
In-Reply-To: <YPv7qCwQ18cF+5Ba@mithril.foucry.net>
References: <YPrwCW44LdKfHxIk@mithril.foucry.net> <40b7782d-9d5c-099a-ed58-4476b3523d7a@gmx.at> <YPv7qCwQ18cF+5Ba@mithril.foucry.net>
Hi,

sorry to hear that. I use the tools from the FreeBSD base system, they work great, and I encourage all newbies to use the tools from the base system, and recommend reading the relevant parts of the handbook and the man pages of jail and jail.conf.

Here are the relevant parts of my config:

rc.conf:

cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.1.1 netmask 255.255.255.0 up"

pf.conf:

nat pass on em0 proto tcp from {192.168.1.201} to any -> pu.bl.ic.ip

and the jail.conf:

example {
    host.hostname = example;
    vnet;
    vnet.interface = "epair201b";
    path = "/jails/$name";
    exec.prestart += "ifconfig epair201 create";
    exec.prestart += "ifconfig epair201a up";
    exec.prestart += "ifconfig bridge0 addm epair201a";
    exec.prestop += "ifconfig epair201b -vnet $name";
    exec.poststop += "ifconfig epair201a destroy";
}

and the /jails/example/etc/rc.conf:

ifconfig_epair201b="inet 192.168.1.201 netmask 255.255.255.0"
defaultrouter="192.168.1.1"

hope this helps,
Robert

On 24.07.21 13:38, Jacques Foucry wrote:
> On Friday 23 Jul. 2021 at 23:06:41 (+0200), infoomatic wrote:
>
> Hello Robert,
>
> Thanks for your answer.
>
>> iocage automatically creates a bridge with your physical interface and
>> the vnet interface. Imho this is wrong behaviour so I quit using iocage,
>> however, there is a workaround, for more info see [1]
>
> I read carefully the issue you pointed to and it appears that with the
> vnet_default_interface parameter set to auto, em0 is added to the bridge; set
> to none, em0 is not added to the bridge.
>
> So I stopped my jail, destroyed the bridge0 interface, set vnet_default_interface to
> none and restarted the jail.
>
> As expected em0 is not in the bridge any more:
>
> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         description: jails-bridge
>         ether 58:9c:fc:10:ed:66
>         inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>         maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>         member: vnet0.657 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>                 ifmaxaddr 0 port 6 priority 128 path cost 2000
>         groups: bridge
>         nd6 options=9<PERFORMNUD,IFDISABLED>
>
> Since then, from the jail I cannot ping anything, from outside I cannot connect to
> the jail and from the jail I cannot connect to an outside host.
>
> In fact, at a quick look, the situation is worse.
>
> I did not look at the routing tables yet (too many other things to do).
>
> As I understood, you do not use iocage any more. Do you use the "raw"
> method (ie /etc/jail.conf)? If yes, I am really interested in a "picture" of
> your configuration.
>
> To be honest, I used to try the "raw" method without success before trying
> iocage.
>
> Thanks for your time and advice.
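The jail.conf stanza above wires one epair across four hooks (vnet.interface, exec.prestart, exec.prestop, exec.poststop), and the numbers drift easily when a stanza is copied for a second jail. As an added example, not code from the thread or from FreeBSD, here is a small checker that parses jail.conf text and reports such mismatches; the sample config is constructed (the thread's stanza plus a deliberately broken copy):

```python
import re

# Constructed sample: the stanza from the thread, plus a copy-paste slip
# (vnet.interface says epair202b, hooks create epair201, no poststop destroy).
JAIL_CONF = '''
example {
    vnet;
    vnet.interface = "epair201b";
    exec.prestart += "ifconfig epair201 create";
    exec.prestart += "ifconfig epair201a up";
    exec.prestart += "ifconfig bridge0 addm epair201a";
    exec.prestop += "ifconfig epair201b -vnet $name";
    exec.poststop += "ifconfig epair201a destroy";
}
broken {
    vnet;
    vnet.interface = "epair202b";
    exec.prestart += "ifconfig epair201 create";
    exec.prestart += "ifconfig bridge0 addm epair201a";
    exec.prestop += "ifconfig epair201b -vnet $name";
}
'''

STANZA = re.compile(r'(\S+)\s*\{(.*?)\}', re.S)

def check_vnet_stanzas(conf):
    """Return {jail_name: [problems]} for every stanza that enables vnet."""
    report = {}
    for name, body in STANZA.findall(conf):
        if not re.search(r'^\s*vnet;', body, re.M):
            continue  # not a vnet jail, nothing to cross-check
        probs = []
        iface = re.search(r'vnet\.interface\s*=\s*"?(\w+)"?', body)
        created = re.search(r'ifconfig\s+(epair\d+)\s+create', body)
        if not iface or not created:
            probs.append("missing vnet.interface or 'ifconfig epairN create'")
        else:
            pair = created.group(1)
            if iface.group(1) != pair + "b":
                probs.append(f"vnet.interface {iface.group(1)} is not {pair}b")
            if f"addm {pair}a" not in body:
                probs.append(f"{pair}a is never added to the bridge")
            if f"{pair}b -vnet" not in body:
                probs.append(f"{pair}b is not moved back to the host in exec.prestop")
            if f"{pair}a destroy" not in body:
                probs.append(f"{pair}a is never destroyed in exec.poststop")
        report[name] = probs
    return report
if __name__ == "__main__":
    print(check_vnet_stanzas(JAIL_CONF))
```

Run against a real /etc/jail.conf by reading the file into `check_vnet_stanzas`; an empty list for a jail means its epair wiring is self-consistent.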